5 December 2018

At DockerCon Europe 2018, Israel Vega from Microsoft and Steven Follis from Docker (@steven_follis) had a session called „Avoiding an identity crisis“ about Windows / Active Directory authentication for containers. It is a really good introduction and also contains a lot of interesting information if you are already working with win auth in containers. For example I was fully convinced that delegation is not working, but that is just wrong (fortunately). So as soon as the recordings appear, I would suggest watching that session. At the same time user PleachiM opened an issue in the GitHub repo of nav-docker stating that win auth against Azure Active Directory Domain Services (AAD DS) does work, which was only quickly covered in the DockerCon session, so I decided to give it a try.

The TL;DR

Ok, maybe a bit more detail: If you set up AAD DS and make sure that the VM hosting your container is in the right virtual network and subnet, you can then create gMSAs and use them in your containers to get win auth. Through that setup you can also verify that for win auth with Windows Server 2019, the gMSA name and the container hostname no longer need to be identical.

The walkthrough of my setup

As Israel and Steven did a very good job explaining (almost) everything happening in my walkthrough, I won’t try to replicate that and instead just point you to the recording. I will only highlight things specific to my setup. Here are the steps:

Create a „Windows Server 2019 Datacenter with Containers“ VM which we will use to run the containers

On that VM do the following:

Join the AAD DS domain through Server Manager as you would do with an on-prem AD and reboot.

Run the following scripts, rebooting where noted. This is well explained in the DockerCon session; the only special thing is that we are creating our own OU, as we can’t create gMSAs otherwise (see https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-create-gmsa). I am using „gMSAs“ as the name of my OU, which you can change if you want, and „DC=ARSSOLVENDI,DC=ONMICROSOFT,DC=COM“ is the name of my domain, so you need to adapt that to your domain. Also „test19-1“ is the name of the VM.

With that we are set up and can create the gMSA. Again, I am very creatively naming it „gmsa“, but of course you can also change that. In the next part we create the gMSA, install and test it and then download the credential spec module, which is in turn used to create the credential spec file. If you are not sure what is happening here, please watch the recording.

Now we are prepared to actually run a container using the credential spec. After it has started, you can run the basic checks to see whether win auth is correctly set up: use nltest to check the parent domain and find out whether querying works:
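Since the actual scripts did not survive in the text above, here is an added PowerShell example covering the whole procedure on the container host (OU, gMSA, install/test, credential spec, container run and nltest checks). It is my own reconstruction for illustration, not the scripts from the post or from the DockerCon session. The OU name „gMSAs“, the gMSA name „gmsa“, the domain DN and the VM name „test19-1“ are taken from the post; the domain DNS name, the container image, the container hostname, the download location of the CredentialSpec module and the exact cmdlet parameters of that module are assumptions.

```powershell
# Added example (not the post's own scripts). Run on the already domain-joined container
# host "test19-1" as a member of "AAD DC Administrators". Names from the post: OU "gMSAs",
# gMSA "gmsa", domain DC=ARSSOLVENDI,DC=ONMICROSOFT,DC=COM. Everything else is assumed.

$domainDn   = 'DC=ARSSOLVENDI,DC=ONMICROSOFT,DC=COM'
$domainFqdn = 'arssolvendi.onmicrosoft.com'   # assumed DNS name of the AAD DS domain
$ouName     = 'gMSAs'
$gmsaName   = 'gmsa'
$hostName   = 'test19-1'

# 1. AD PowerShell tools on the host (this feature does not need a reboot).
Install-WindowsFeature RSAT-AD-PowerShell | Out-Null
Import-Module ActiveDirectory

# 2. Our own OU: AAD DS does not let you create gMSAs in its built-in OUs.
$ouDn = "OU=$ouName,$domainDn"
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDn'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# 3. gMSA whose password only this host may retrieve. Listing the host account
#    explicitly instead of a broad group keeps the blast radius small. AAD DS
#    manages the KDS root key for you, so no Add-KdsRootKey is needed here.
$hostAccount = Get-ADComputer -Identity $hostName
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$domainFqdn" `
    -Path $ouDn `
    -PrincipalsAllowedToRetrieveManagedPassword $hostAccount `
    -KerberosEncryptionType AES256

# 4. Install the gMSA on the host and verify that the host can fetch the password.
#    If the host was only just added to the allowed principals, reboot it first so
#    its Kerberos ticket reflects the change; otherwise the test returns False.
Install-ADServiceAccount -Identity $gmsaName
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "Host $hostName cannot retrieve the managed password for $gmsaName"
}

# 5. Credential spec via Microsoft's CredentialSpec.psm1 (download URL assumed;
#    older revisions of the module additionally require -Name for the file name).
$moduleUrl = 'https://raw.githubusercontent.com/MicrosoftDocs/Virtualization-Documentation/live/windows-server-container-tools/ServiceAccounts/CredentialSpec.psm1'
Invoke-WebRequest -Uri $moduleUrl -OutFile "$env:TEMP\CredentialSpec.psm1"
Import-Module "$env:TEMP\CredentialSpec.psm1"
# Writes C:\ProgramData\Docker\CredentialSpecs\gmsa.json, which Docker resolves via file://
New-CredentialSpec -AccountName $gmsaName
Get-Content "C:\ProgramData\Docker\CredentialSpecs\$gmsaName.json"

# 6. Run a container with the spec and do the basic checks. The hostname is deliberately
#    different from the gMSA name to confirm the Windows Server 2019 behaviour the
#    post describes. The image is an assumption; any ltsc2019-based image works.
$image = 'mcr.microsoft.com/windows/servercore:ltsc2019'
docker run --rm --hostname web01 `
    --security-opt "credentialspec=file://$gmsaName.json" `
    $image cmd /c "nltest /parentdomain && nltest /query"
```

Step 6 is the actual verification: `nltest /parentdomain` should print the AAD DS domain and `nltest /query` should end in `NERR_Success`. If step 4 already fails, the container will not get any further either, which is why it is worth checking the host first. Keeping the credential spec JSON readable only to administrators on the host is sensible, as it names the account the container may impersonate, even though it contains no secret.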